On Fri, Sep 26, 2003 at 09:31:41AM -0400, Stephen Frost wrote:
> > The idea in your case is to use Kerberos for authentication (pam_krb5) and
> > LDAP for authorization (nss_ldap). You won't be using pam_ldap, since you
> > don't even use the userPassword attribute.
>
> It's possible you'd want to use pam_ldap for (authorization), perhaps on a
> per-service basis (allow for POP3 but not for ssh, for example). Or if
> you want to have all UIDs available but only allow access for certain
> people (NFS server or other reasons).

Correct indeed. There are many authorization mechanisms that can be used with
PAM, such as the host attribute, or a forced group membership.